Public domain photo: taken by U.S. Air Force Senior Airman Julianne Showalter
Hang on to the netting. This is going to be one long and bumpy ride!
Digital Rags
There is some great on-line periodical reading on the webs. I like keeping some handy for down-time reading between meetings or while waiting for a vendor to show up.
- Into The Boxes – This is an exciting new digital forensics and incident response “eZine”. Clearly a work of love and detail by contributors such as Didier Stevens, Don C. Weber, Harlan Carvey, and Jamie Levy. You can’t not stop by and add this to your watch-list (the good kind).
- Into The Boxes: Issue 0x0 – The premiere release (PDF Download link). Jam packed with great articles such as:
  - Windows Box: Windows 7 UserAssist Registry Keys by Didier Stevens. This is an analysis of the new UserAssist registry keys binary data format used in Windows 7 and Windows 2008 R2.
  - *nix Box: Red Hat Crash Memory Forensics – Jamie Levy. This article covers the installation and use of the Redhat Crash Utility for Linux memory forensics.
  - Software Box: Beware The Preview Pane – Don C. Weber. A quick dip into the preview pane functionality provided by AccessData’s FTK Imager and FTK Imager Lite.
  - Squawk Box: PCI Interview with Harlan Carvey. An interview about digital forensics and incident response as it pertains to Payment Card Industry-related investigations.
Actually, the “funnest” article for me wasn’t one of these but a “quick-tip” by Don C. Weber that reminds us that before you toss out/destroy that portable USB hard drive, it might be worth cracking open the shell to see if it has a re-purpose-able SATA to mini-USB powered hard-drive adapter. Sure you can buy a kit, but if the drive is bad, this might make a quick and “free” hardware tool grab.
- (IN)SECURE Magazine issue 23 released. PDF format eZine including topics such as…
Table of contents
- Microsoft's security patches year in review: A malware researcher's perspective
- The U.S. Department of Homeland Security has a vision for stronger information security
- Q&A: Didier Stevens on malicious PDFs
- Protecting browsers, endpoints and enterprises against new Web-based attacks
- Mobile spam: An old challenge in a new guise
- Study uncovers alarming password usage behavior
- Ask the social engineer: Practice
- Jumping fences – the ever decreasing perimeter.
Linkposts, Tools, and Lists Extraordinaire
If you haven’t already encountered these, all great posts with a wealth of tips and tools to supplement your knowledgebase.
- Linkilicious in 2010 – Windows Incident Response blog.
- When a tool is just a tool, pt II – Windows Incident Response blog. Harlan goes on a tear about the role “tools” have (commercial titans or the lesser-known gods) as being a focus in case testimony. As Harlan wisely sages:
…all tools should be considered just for what they are...tools.
What should matter most is the process used and documentation created by the analyst. If you thoroughly document what you've done, then why shouldn't you be able to testify about it on the stand, regardless of the tools used? I know a few analysts who've documented their work such that someone else (i.e., LE) could validate their findings via commercial tools (because that's what the LE analyst was most comfortable with) and then testify about the "findings".
- Link-idy link-idy – Windows Incident Response blog. More tools and analysis tips.
- Even More Linky Goodness.... – Windows Incident Response blog. Yep. This batch includes some memory-focused items as well as links to some images for practicals.
- More Linky Goodness, plus – Windows Incident Response blog. Neat stuff with recovering deleted registry data in unallocated hive space.
- Forensics: Beverages Aside, A Look at Incident Response Tools - Praetorian Prefect – A most excellent and full-bodied post with a nicely structured collection of methods and tools to help in incident response. This is one of those posts you want to bookmark and keep coming back to. Definitely KB-level material here.
- Looking at IR Tools – Windows Incident Response blog. Older post from 2006 that still stands with a great roundup of IR tools, almost all freeware.
- The Value of Push Button Computer Forensics - Jamie Morris crosslinks to discussions on one-click incident and forensics response. Again, is the solution in the tools or in the training and skill of the analyst? My money will always be on the analyst, although well designed (and well used) tools can speed the work the analyst must do and allow faster sifting of raw data.
- Plugin Browser - New RegRipper Tool – Windows Incident Response blog. New tool to help you understand what exactly the RegRipper plugins do and how they can enhance and focus your registry analysis with it.
- SFDUMPER Selective file dumper by Nanni Bassetti & Denis Frati spotted on PenTestIT. Linux based tool (love to see a Windows port) that allows you to sweep a system and collect all the files of a particular type or filter.
- Gizmo Drive - (freeware) – Tool to mount ISOs, encrypted hard drive images to a virtual drive. Updated on 12-09-2009.
Network Forensic Updates
New updates to awesome tools and some supporting materials to boot.
- NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer - (updated) - (download on SF) – Version 0.91 released 11-22-2009.
- Xplico - Internet Traffic Decoder - (updated) – Version 0.5.4. Included in the DEFT Vx5 LiveCD forensics build or the Linux package files here. This and the previous 0.5.3 build include feature additions such as:
- Facebook web chat dissector
- New XI based on CakePHP 1.2.5
- New representation of images
- For each image you can see (with the proxy enabled) the page where the image is contained
- WLAN and LLC basic dissectors
- HTTP dissector Improvements
- snoop Packet Capture File Format as input file
- DNS dissector with graphical representation in Xplico Interface (XI)
- NNTP dissector
- PPPOE dissector
- direct live acquisition from XI
- default CLI dispatcher in command line execution
- file extension for the HTTP contents
- Network Monitor: No Frames Captured Due to Disk Quota – Reminder that if you are capturing packet data, you better be sure you’ve got the room to store it! Depending on the traffic and utilization, you can fill up your disk storage very quickly!
- Technology Pathways has a fairly recent 2009 presentation on Introduction to Network Forensics (PDF)
Forensic/IR LiveCD Updates
Even though I am a Windows medium guy, I still make sure to carry a number of the most recent (and some older) Linux LiveCD forensic/IR CDs. There are just some tools that don’t have a good Windows counterpart, and while nothing beats a physical read/write blocker, I’d rather trust some of these than nothing at all when capturing a system image.
Quietly released, these distros are well worth the time and effort to download and burn.
- DEFT Linux v5 and DEFT Linux v5x with Xplico - Computer Forensics live cd. From the developer’s descriptions:
DEFT Linux v5 is based on the new Xubuntu Kernel 2.6.31 (Linux side) and the DEFT Extra 2.0 (Computer Forensic GUI) with the best freeware Windows Computer Forensic tools; it isn’t a customization of Xubuntu like the old version, it is a new concept of Computer Forensic live system that uses LXDE as desktop environment and thunar file manager, mount manager as tool for device management, dhash2, guymager, dcfldd, ddrescue and linen as forensic imager tools, sleuthkit 3.01 and autopsy 2.21 as landmark for the disk forensic, nessus 4 as security scanner and much more like:
- an advanced file and directory researcher
- foremost, scalpel and photorec carving tools
- a complete support for the most used file systems
- a complete support for logical volume manager
- a complete support for afflib and ewflib
- very powerful tools for network forensics such as Xplico, wireshark, kismet, ettercap and nmap
- a very powerful tool for identifying file types from their binary signatures (TrID)
- the last version of ophcrack, the password cracker based on rainbow tables and john the ripper password cracker
- chkrootkit, rkhunter and exploit scanner
- clam 4.15 virus scanner
- steganography detection software such as outguess
- tool for screenshot as take screen shot and video screen capture as record my desktop
- deft-mount script for mounting devices read-only
For a complete list, please visit the package list page.
There are two DEFT Linux v5 releases, one dedicated to disk forensics (DEFT v5) and one dedicated to network and cell forensics (DEFT Vx5); DEFT Vx5 contains Xplico.
- CAINE Live CD – Version 1.5 – I really like this one as it (like Helix) comes with a Linux boot side and a Windows IR auto-launching utility side. Per developer Nanni Bassetti:
The distro is open source, the Windows side (Wintaylor) is open source and, the last but not the least, the distro is installable, so giving the opportunity to rebuild it in a new brand version, so giving a long life to this project ....
CHANGELOG CAINE 1.5 "Shining"
Kernel 2.6-24.25 updated.
ADDED:
lnk_parse
lnk.sh
mork
steghide
UserAssist
dos2unix
chntpw
tkdiff
xdeview
xsteg
md5deep,foremost updated
launchers fixed
manual updated
README.txt in the bash scripts directory
Photorec and Testdisk and XSteg in the Forensics menu
Window list and Show Desktop added.
------------------------------------------------
Windows Side:
Wintaylor updated
HexEdit added
Regmon updated
FTKImager updated
Index.html fixed
Photorec
Testdisk
Nigilant32
UsbWriteProtect
- Helix 3 Pro: First Impressions - SANS Computer Forensics, Investigation, and Response. Micro review of a November 2009 update by John Jarocki.
- HelixCE beta rc1 ISO – The “Community Edition” of Helix is downloadable at eCSI Denver eDiscovery and Computer Forensics Experts page. Registration for download link required.
- Katana v1.0 – Kyuzo – Released over at Hack from a Cave. (download source). The good folks at Security Database Tools Watch give us a great summary of key points for this pen-testing focused distro:
Katana is a portable multi-boot security suite designed for all your computer security needs. The idea behind this tool is to bring together all of the best security distributions to run from one USB drive. Katana includes distributions which focus on Penetration Testing, Auditing, Password Cracking, Forensics and Honey Pots.
Included in this distribution are:
* Backtrack 3
* Backtrack 4 beta
* the Ultimate Boot CD
* Organizational Systems Wireless Auditor (OSWA) Assistant
* Slax 6
* Ophcrack XP
* Ophcrack Vista
* Damn Small Linux
* Damn Vulnerable Linux
Installation
1. Requires USB flash drive of size 8GB or larger with 6GB free space.
2. Download katana-1.0-beta.rar to local disk. Requires 6 GB of free disk space on local downloading system. (NOTE: FAT16/FAT32 partitions cannot accommodate a 6GB file.)
3. Flash drive must be formatted FAT32. (OPTIONAL: Create "katana" directory on local disk.)
4. Extract katana-1.0-beta.rar to the "katana" directory and move to USB flash drive OR extract directory to the root of the flash drive.
5. Change directory to the freshly copied /boot directory on the USB device. Make sure you’re in the "boot" directory on the USB device!
6. For Linux/OSX run ./boostinst.sh, for Windows run ./boostinst.bat
7. Make sure computer BIOS allows USB boot. Boot from flash drive. All Done!
- Matriux - The Open Source Security Distribution for Ethical Hackers and Penetration Testers – Yep. Yet another. Security Database Tools Watch summarizes it thusly:
The Matriux Arsenal contains a huge collection of the most powerful and versatile security and penetration testing tools. The Matriux Arsenal includes the following tool / utilities / libraries (The first release will contain only few of the listed tools):
See their page for the full (and to be added) tool watch list.
- BackTrack 4 - Released! - Available in both ISO (for DVD sized burning) or VMWare image formats.
ProDiscover Basic Edition Freeware Update and more!
Not sure if everyone noticed this or not but Technology Pathways seems to have quietly slipped a new freebie (lite) version on the interwebs recently:
- Download ProDiscover Basic Edition (Version 6.1). They don’t have their own page and I don’t want to direct link to the download file from their page so head over there and scroll down to the free tools section. Curiously, the “portable” version is still U3 format at version 5. However, I found that if you install the 6.1 version then extract the files to a USB stick it seems to still work “portably.” However, your results may vary.
- They also have some wonderful and recent video demos on usage techniques.
Remote System Triage with Indexed Based Search and ProDiscover IR
Demo of ProDiscover Version 6.0 Volume Shadow Copy Remote Image/Preview
Demo of ProDiscover Version 6.0 Indexed Based Search and Regular Expression
Again, head over to the Technology Pathways resources page and download them from there under the Technical Webinars section.
Please note that they are in a “WRF” video format which seems to give some folks fits.
To view them, simply head over to Cisco WebEx Support Utilities or specifically this WebEx Player download link to get the player.
F-Response Tactical
Bit of a larger gun than I get to play with at work, but I know lots of IR folks are familiar with it. New release out.
Speaking of Remote Forensics
Peter Kleissner’s post Remote Forensic Software – Online-Überwachung and the Austrian law had just enough detail to get me curious.
…a very good report about the different aspects of remote computer surveillance (including pros/contras, problems, legal questions etc.).
This is especially important for our company, because we are working on the “Remote Surveillance Software”. At DeepSec I presented some of its parts. Of course there is a lot of criticism about the usage of a “federal trojan”; however, you should read the above document. As they are saying, it is necessary to be in consent with the Verhältnismäßigkeitsgrundsatz (principle of proportionality), which would make it difficult because there are other ways to investigate available.
There is a good summary about the Endbericht zur Online-Durchsuchung written by Univ.-Prof. Dr. Bernd-Christian Funk.
Some issues I want to comment on technically (and which I think are very important and missing in the document):
* Page 13: Prevention of imitation: “every introduced component must be unique to a high degree or sufficiently strongly personalized.”
This would not be software itself, but the used communication servers and protocols. It would be nonsense to develop a new trojan for every suspect, however, it would make sense to have different keys for encrypting the communication and changing investigation protocols for every suspect (e.g. what to look for).
* Page 93: (in the narrowest sense) as “a search for case-relevant content on data carriers that are not under the direct access of the law enforcement authorities but are reachable only via communication networks” (from an answer to an inquiry in the German Bundestag)
That means we are searching for data not available through forensic analysis of the hard disk, but for data available only in volatile memory.
It is important to differentiate between Online Durchsuchung and Online Überwachung; the one means to “read” the hard disk, the other to surveil the suspect. Both are currently illegal, because a search warrant (the first) has the character of a real person making the search warrant and offering the possibility to hand over searched materials freely.
It took me a while, but I think I was finally able to track down a very good English version of the document.
It is a fascinating read and actually refers to US law enforcement and court issues and methods as well.
Forensic/IR Timeline Topics
I myself have been facing the challenge of sifting through system analysis data and having to reorganize it into a meaningful narrative. It wasn’t easy.
- log2timeline v0.40 released – From the Security Database Tools Watch gang, here are the updates:
Version 0.40
- [CFTL output] Fixed a few bugs in the cftl.pm output module, didn’t work in the current CFTL version without these modifications (has been verified to work with CFTL pre-release version 1.0)
- [EXIF input] Fixed a bug in the exif input module, there was a problem with the format of date variables read by ExifTool library. Added a format string to force the date format to be the same.
- [glog2timeline] Modified the GUI, glog2timeline to make it feature compatible with the CLI interface, added:
- Simple menu structure
- Added the possibility to add timeskew information
- Added the possibility to prepend text to output (a la -m)
- Added the possibility to perform most of the operations through the menu structure
- Added the possibility to check for latest version (version check)
- Added a simple progress bar and information about the artifact being processed [more work needs to be done here]
- Added the possibility to define the timezone of the suspect drive (list all available timezones sorted, using UTC as the default zone)
- [List library] Modified the name of the Log2t::List library to Log2t::Common so that the library can be used for all common functions that are shared between more than one module (instead of only focusing on listing directory entries)
- [BinRead library] Fixed a few bugs in the BinRead library that dealt with Unicode reading
- [WIN_LINK input] Modified the text output of win_link input module, to make the output more readable
- [RECYCLER input] Modified the recycler.pm so that it reads the recycle bin directory instead of the INFO2 file. Added the possibility to read $I files as well (the newer format as used in Vista, Windows 7 and later operating systems from Microsoft). The new input module reads the directory and determines if it is examining the older or newer version of the recycle bin and parses accordingly
- [timescanner] added a banner to timescanner, giving people warning about the tool, since there have been reports of it being unreliable in parsing all files that it should be able to do. This banner will stay until the tool has been fixed (coming version)
- [timescanner] added the possibility to add timezone information, as well as to add a timezone related functions to be used by libraries
- [timescanner] Fixed a bug, forgot to close the input module after parsing an artifact (creating some problems)
- [USERASSIST input] fixed a bug in the userassist module. It crashed if it encountered a registry file it was unable to load (e.g. NTUSER.DAT.LOG), added a check for that, so timescanner will not die when it reaches such a file
- [FIREFOX3 input] added an extra check in the verify routine to double check that we are in fact examining a FF3+ history database, now connecting to the database to see if there is a moz_places table there before proceeding. Added few error message checks as well, to improve the error handling of the verification. Fixed a bug where Firefox 3 history files were not included in the timescanner tool (had to do with the verification and improper check if the database was locked)
- [log2timeline] Added the possibility to define the timezone of the suspect drive (-z ZONE parameter). The default timezone is local (that is the local timezone of the analysis station). This affects the time settings of all artifacts found on the system and adjusts them accordingly. The option of "-z list" will print out a list of all available timezones that can be chosen.
- [OXML input] Modified the verify function, only read the ZIP header if the magic value of the file indicates that this is a ZIP file (reduces time needed for the verification function, and therefore reduces the time needed for timescanner)
- [Common library] Added constants to the Common library (BIG_E and LITTLE_E) that are shared with other libraries and modules
- [input modules] changed all input modules that call the BinRead library so that they initialize the endian. This fixes a bug in timescanner, since some input module set the BinRead to big endian, which is not changed back when another input module that reads in a little endian was started (making verification and all uses of binary reading wrong, leading to the fact that timescanner did not parse the files)
- [Time library] Added a function called fix_epoch to take an epoch value, and use the supplied timezone settings to modify it to UTC
- [input modules] Modified the input modules so that they all now output the timezone information in UTC
- [Setupapi input] Modified the SetupAPI input module, considerable changes made in the way that the file is parsed
- [log2timeline] All input modules now output their time in UTC, irrelevant of the method of storing time entries. This makes it vital to add a parameter to define the timezone of the suspect drive
- [evt] Added a new input module that is capable of parsing Windows 2000/XP/2003 Event Log files (mostly rewrite of evtparse.pl by Harlan Carvey)
- It’s about time.... – Windows Incident Response blog. New Decode64 timeline helper tool from Harlan that takes “…a string representing the date/time stamp (analyst pastes it into a textfield...how easy is that??) and with the push of a button, translate that to both a Unix epoch time, as well as to a human-readable time, in GMT format.”
- More Timeline Creation Techniques – Windows Incident Response blog.
- Some Analysis Coolness – Windows Incident Response blog. (More timeline thoughts and linkage).
- Clocks – CYB3RCRIM3 blog. Interesting legal cases dealing with timeline and file-dates in the appeals process. Reminders of the challenges faced, not just technically, by IR/forensic folks as they build their analysis.
- TechnoSecurity 2009: Forensics Aspects of File System Time Attributes - Head over to the Technology Pathways resources and download the zip package. It’s a whopper at 113 MB but you get several PDF training documents as well as a collection of the freeware timeline tools highlighted in them. This is a timeline technique study package well worth the time to dive into.
- Attribute Changer shell extension - (freeware) – From Petges.lu is just one (of many such) utilities that might be used to “fuzz” forensics and IR responders. Can be used “…to change all kind of file and folder attributes, date, time and even NTFS compression.” Not a 3vil thing in itself. Just a highlight of the work faced by the good guys. More about the tool over at 4sysops post “FREE: Attribute Changer – Change file attributes recursively on multiple files and folders”
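The two timeline chores described above, the Decode64-style translation of a 64-bit timestamp into a Unix epoch plus human-readable GMT, and the log2timeline fix_epoch / -z ZONE shift of local-time artifacts onto a UTC axis, worked through as an added example (not code from this post, from log2timeline, or from Harlan Carvey's Decode64). It assumes the 64-bit value is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); the artifacts and hex strings are constructed sample data.

```python
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Dict, List, Tuple

# Offset between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01),
# in 100-nanosecond ticks.
EPOCH_DIFF_100NS = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000


def filetime_to_epoch(raw: bytes, endian: str = "little") -> int:
    """Convert an 8-byte Windows FILETIME (assumed format) to Unix epoch seconds, UTC.

    Endianness is passed per call instead of being a global mode: the log2timeline
    changelog above traces a timescanner bug to one input module leaving BinRead
    in big-endian mode for the next module to trip over."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks = int.from_bytes(raw, endian, signed=False)
    if ticks < EPOCH_DIFF_100NS:
        raise ValueError("FILETIME predates 1970-01-01; not a Unix-representable time")
    return (ticks - EPOCH_DIFF_100NS) // TICKS_PER_SECOND


def decode64(hex_string: str, endian: str = "little") -> Tuple[int, str]:
    """Decode64-style helper: take the hex bytes an analyst pastes from a hex
    editor (spaces allowed) and return (Unix epoch, human-readable GMT)."""
    raw = bytes.fromhex(hex_string.replace(" ", ""))
    epoch = filetime_to_epoch(raw, endian)
    gmt = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return epoch, gmt.strftime("%Y-%m-%d %H:%M:%S GMT")


def fixed_offset(hours: int) -> tzinfo:
    """Fixed UTC offset zone, for when DST does not matter or tzdata is absent."""
    return timezone(timedelta(hours=hours))


def fix_epoch(local_epoch: int, suspect_tz: tzinfo) -> int:
    """Reinterpret an epoch that was built from *local* wall-clock time on the
    suspect drive as that wall-clock time in suspect_tz, and return the true
    UTC epoch (DST is resolved by the tzinfo object, e.g. a zoneinfo zone)."""
    wall_clock = datetime(1970, 1, 1) + timedelta(seconds=local_epoch)
    return int(wall_clock.replace(tzinfo=suspect_tz).timestamp())


def build_timeline(artifacts: List[Dict], suspect_tz: tzinfo) -> List[Tuple[int, str, str]]:
    """Merge artifacts from different sources onto one UTC-sorted axis.

    Each artifact carries 'source', 'desc', 'stored_as' and 'time':
      stored_as='filetime'    -> 'time' is 8 raw bytes, already UTC
      stored_as='local_epoch' -> 'time' is an epoch built from local wall-clock time
    Sorting the raw values without fix_epoch would shift the local-time entries
    by the suspect's UTC offset and mis-order them against the FILETIME entries."""
    rows = []
    for art in artifacts:
        if art["stored_as"] == "filetime":
            epoch = filetime_to_epoch(art["time"], art.get("endian", "little"))
        elif art["stored_as"] == "local_epoch":
            epoch = fix_epoch(art["time"], suspect_tz)
        else:
            raise ValueError(f"unknown storage format {art['stored_as']!r}")
        rows.append((epoch, art["source"], art["desc"]))
    return sorted(rows)


# Constructed sample data, not from any real case: a registry FILETIME of
# 2009-12-09 00:00:00 UTC, and a log line stamped in the suspect's local time at
# 2009-12-08 20:00:00, which in a UTC-6 zone is 02:00 UTC on the 9th, i.e. later.
SAMPLE_ARTIFACTS = [
    {"source": "REG", "desc": "UserAssist last run", "stored_as": "filetime",
     "time": bytes.fromhex("00C0ED8C6278CA01")},
    {"source": "LOG", "desc": "application log line", "stored_as": "local_epoch",
     "time": 1260302400},
]

if __name__ == "__main__":
    from zoneinfo import ZoneInfo  # Python 3.9+, needs system tzdata
    print(decode64("00 C0 ED 8C 62 78 CA 01"))
    for epoch, source, desc in build_timeline(SAMPLE_ARTIFACTS, ZoneInfo("America/Chicago")):
        print(epoch, datetime.fromtimestamp(epoch, tz=timezone.utc), source, desc)
```

Run as-is it prints the decoded registry stamp and then the merged timeline with the log line correctly placed after the registry entry, even though its raw local epoch is the smaller number.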
Browser Forensics
- Windows Incident Response: Browser Stuff.
- Other Interesting Items (Browser Session Restore Forensics-PDF) – Harry Parsonage details some neat Firefox facts. Spotted over at the Forensics from the sausage factory.
- Firefox 3 History Recovery - Get Firefox 3 History Recovery at SourceForge.net. More information about the tool over at this ff3hr — PenTestIT post.
- Voyage - A Firefox Addon to Rediscover Your Web Browsing History. I’m intrigued to see if this tool or even History Tree (Add-ons for Firefox) might present an alternative web-activity time-line view to show how the web-surfing activity transpired. Clever visualization maps for sorting complex data. Could be inspirational for other techniques and timeline presentations as well.
- GooglePasswordDecryptor - (freeware) – by Nagareshwar Talekar could be used to extract Google-related information from browser data. From PenTestIT where I spotted this tool:
…free tool to recover stored Google account passwords by various applications. Most of Google’s desktop applications such as GTalk, Picasa etc. store the account passwords in their private encrypted store to prevent the hassle of entering the password every time. GooglePasswordDecryptor goes through each of these application’s encrypted stores and decrypts this Google account password.
Google uses the single centralized account for managing all of its services such as Gmail, Picasa, GTalk, iGoogle, Desktop Search etc. Since all of these core services are controlled by one account, losing the password will easily make one’s life miserable. If you try, the Google password recovery service will turn out to be useless, unless you have set up the secondary account for receiving the password and you remember all the personal details that you have entered at the time of account creation.
- Google Talk
- Google Picasa
- Google Desktop Search
- Gmail Notifier
- Internet Explorer (all versions from 4 to 8)
- Google Chrome
Windows Systems Tools and Knowledgebase
In-flight refueling completed…the mission continues!
- FlashCookiesView - (freeware) – NirSoft - “View the Flash cookies (Local Shared Object /.sol files) stored in your computer.” Ever since my Tip: Managing Flash Cookies post, I’ve had a number of tools and techniques to get at the Flash cookie store on a Windows system, but none were very helpful when working on a system, exporting data, or particularly, working on an off-lined or imaged system. Nir finally puts a nail in that coffin. Awesome tool. Add it to your toolbox.
- SysKey and the SAM – Push the Red Button blog. In depth info on the SAM hive and information.
- De-Mystifying Windows Vista & Windows 7 Registry – Good primer material.
- "Data Carving" and Metadata – CYB3RCRIM3 blog. Legal case regarding forensics focus on meta-data recorded by the Windows system.
- ForensicKB bloggist Lance has been on a tear providing great reviews on key Windows system elements such as
- WinPrefetchView – (new) – NirSoft - “…is a small utility that reads the Prefetch files stored in your system and displays the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot. The main window of WinPrefetchView contains 2 panes: The upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it. There is also a special Prefetch file, with 'NTOSBOOT-B00DFAAD.pf' filename, which can show you the list of files that are loaded during Windows boot process.” Another brand spanking new utility. Supports all Windows systems from XP to Windows 7. Another tool I can think of a number of uses for in incident response. Also supports off-line system examination of this file. See also: How To View Superfetch Cache Contents in Windows 7 - Windows 7 hacker
- New Format for UserAssist Registry Keys - Didier Stevens. More details in the aforementioned Into The Boxes PDF. You can use Didier’s special version of UserAssist tool on Windows 7 and Windows Server 2008 R2 systems.
- Fail-Safe Argument – CYB3RCRIM3 blog. The investigators must have done it!
- Working with Volume Shadow Copies – Windows Incident Response blog. Great in-depth material at cracking open the Windows Volume Shadow copies for IR/Forensics review.
- Quickpost: SelectMyParent or Playing With the Windows Process Tree - Didier Stevens.
The WoanWare Factory
Well done Mr. Woan! Well done.
BitLocker and Password Recovery
TinyApps Blog got me on this hunt a while back. I’ve been letting the issue gain momentum. More FYI stuff than anything else. I’m in the "if you have physical access to the machine then sure, all bets are off” camp.
Security Related
- VirusTotal Uploader 2.0 – Add-in tool to allow right-click context menu sends of suspicious files up to VirusTotal.
- Updating Microsoft Security Essentials without Using Windows Update [Tips] - Windows 7 hacker. CLI option if the GUI doesn’t work (or if you are batch-file crazy).
- SpyDLLRemover Portable 3.0 Released - PortableApps.com - Portable software for USB drives. Not sure how it stacks up but is one more USB based AV/AM Tool.
- SIMfill - (new) – Tool from the NIST.gov Computer Security Division. “…a java application that populates Subscriber Identity Modules (SIMs) with reference data and can be used to assess the data recovery capabilities of forensic SIM tools. The package includes an initial set of reference data for use with SIMfill, the source and compiled code, a readme file, a user's guide, and a video demonstration.” Spotted at this MySecured.com post.
- Apple vs. Kaspersky - Functionality Wins – Digital Soapbox. When two good products encounter mission-definition conflict, it is almost always the user who loses in the name of “security”.
Reheated DECAF
I’m not going to say anything else. I think I covered my personal feelings in this DECAF and COFEE, and a brush post.
…and finally…PDF Failure (again)
Mission complete!
Off for nappies!
--Claus V.